SQLYog MySQL HTTP Tunnel Detection

Medium Nessus Network Monitor Plugin ID 3804

Synopsis

The remote host is running an inherently insecure protocol or application.

Description

The remote host is running a MySQL database. In addition, a PHP script is installed that allows MySQL connections to be tunneled over HTTP. This sort of connection is typically utilized when the database administrator does not have access to connect to the database from remote locations. The tunnel does not use any sort of encryption and exposes credentials to passive sniffing. In addition, as the PHP script connects to the database from the localhost, database authentication does not look for the originating IP address within the GRANT tables but instead uses the server IP as the originating source. Not only does the script allow database admins to bypass firewall restrictions and log in insecurely, it also exposes the database to brute-force attacks from anonymous users.

Solution

For remote database administration, choose a method of connection that is restricted to only trusted sources and encrypts the authentication credentials.

See Also

http://www.webyog.com/en

Plugin Details

Severity: Medium

ID: 3804

Family: Backdoors

Published: 2006/11/03

Modified: 2016/01/15

Dependencies: 1442

Risk Information

Risk Factor: Medium